Microsoft is looking into a newly discovered security hole in its browser
that could expose people's private files to malicious Web site operators.
The security flaw surfaces as the software giant reels from a series of miscues involving
security breaches and software leaks.
The latest bug has to do with the way Microsoft's Internet Explorer browser
handles the Java programming language, according to veteran browser-bug
hunter Georgi Guninski.
The flaw lets a malicious Web site operator use a script to open a new
browser window. That window opens with the computer owner's security
safeguards.
Because IE normally lets the local computer user find files on the hard drive as well on the Web, the maliciously scripted window can display any file on a person's computer.
Scripts are lines of computer code that give browsers instructions to
execute actions without a person's interaction. Scripts can open pop-up
windows, run tickers across a screen, or double-check information entered
in online forms.
Internet Explorer comes equipped with a security mechanism that should
prevent Web authors from using scripts to peek from one window into another
with the minimum security safeguard. But Guninski's
exploit takes advantage of what he described as flaws in IE's Java
implementation to circumvent those mechanisms.
This isn't the first time Microsoft has grappled with weaknesses in IE's
cross-frame security. Microsoft tackled one such problem in
January, another in October and
a third in September.
The Achilles' heel of cross-frame security in this case is a combination of
Microsoft's Java implementation, the JavaScript scripting language, and the
document object model (DOM), a specification for transforming each element of a Web page into an
independent object that a script can manipulate.
According to Guninski, IE's Java implementation normally restricts the use
of JavaScript URLs so they cannot be used to get around cross-frame
security. But IE's Java implementation interacts with the DOM in such a way
that JavaScript can get away with that trick.
"The Java JSObject allows setting DOM properties from Java and allows
setting a hostile JavaScript URL to (a frame's) location," Guninski wrote
in a description of the bug posted to the Bugtraq security mailing list.
"This leads to circumventing cross-frame security policy."
Guninski posted a
demonstration of the exploit and recommended disabling Java or disabling
scripting of Java applets pending Microsoft's fix.
Microsoft said it was investigating the problem, which it learned of yesterday morning, and declined to comment further on the security hole pending its investigation.
Join the conversation
Comment replyThe posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
AstrologyDating.com is a new site that tries to find you your perfect love on the basis of birth date, birth time, and birthplace. But will it tell you the truth? Well, it asks you to pay only per match. So I tried it.
The Web fulminates when it is revealed that executives from VEVO--vehement music industry antipirates--played a pirated stream of an NFL playoff game at a party. VEVO claims it left its Wi-Fi unsupervised. Have we heard that argument before?
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
iPhones and Angry Birds aside, the arcade endures. Crave pays a visit--and offers up an homage to games and gamers of years past and a tribute to the possibly endangered, but not yet dead, atmosphere of the arcade itself.
Join the conversation